On Mon, May 25, 2015 at 10:33:06AM +0200, Bastian Blank wrote:
> On Mon, May 25, 2015 at 09:51:41AM +0200, Thomas Koch wrote:
> > On Sunday 24 May 2015 13:02:38 Thomas Koch wrote:
> > > Git supports signing of commits since version 1.7.9. Everybody should sign
> > > git commits always.
> > There is however the argument that by signing every commit by default one
> > may accidentally publish a signature on some unverified code and somebody
> > else may trust this code because of this.

What's wrong with that? The signature means that you wrote it. It
doesn't mean that it is perfect.

> Much worse, do you trust all your development machines with your private
> key? I clearly don't, as I neither have sole control over them, nor are
> all of them located in jurisdictions I can expect any help against
> seizure.

With Debian packages I upload I can use debsign to sign a build after it
was built. Can I sign git commits / annotated tags in retrospect?

--
Tzafrir Cohen         | tzaf...@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzaf...@cohens.org.il |                    | best
tzaf...@debian.org    |                    | friend

Archive: https://lists.debian.org/20150525125453.gc20...@lemon.cohens.org.il